CVE-2018-6341
Published: Dec 31, 2018
Modified: May 6, 2025
PUBLISHED
Description
React applications which rendered to HTML using the ReactDOMServer API were not escaping user-supplied attribute names at render-time. That lack of escaping could lead to a cross-site scripting vulnerability. This issue affected minor releases 16.0.x, 16.1.x, 16.2.x, 16.3.x, and 16.4.x. It was fixed in 16.0.1, 16.1.2, 16.2.1, 16.3.3, and 16.4.2.
| Vendor | Product | Versions |
|---|---|---|
| | react-dom | affected 16.4.2; affected 16.4.0 - < unspecified; affected 16.3.3; affected 16.3.0 - < unspecified; affected 16.2.1; +6 more versions |
Weaknesses (CWE)
References
https://reactjs.org/blog/2018/08/01/react-v-16-4-2.html
x_refsource_MISC
https://twitter.com/reactjs/status/1024745321987887104
x_refsource_MISC